From: Jeff Trawick
To: Apache HTTP Server Development List (dev@httpd.apache.org)
Date: Fri, 11 Apr 2014 08:38:43 -0400
Subject: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."

No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server configuration change besides disabling SSL/TLS completely can resolve this. Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.

If you obtain OpenSSL in binary form with or without Apache HTTP Server, contact the supplier of the binary for resolution. If you build OpenSSL yourself, refer to the OpenSSL project for further information, including the advisory at http://www.openssl.org/news/secadv_20140407.txt .

XXXX

Have binaries which included an affected level of OpenSSL ever been distributed from our site?

I don't see anything from the release/httpd/binaries/win32 directory in the output of svn log -v | grep openssl . (Is that the right check?)

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
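The triage the draft advisory describes (OpenSSL 1.0.1a-f affected, 1.0.1g or later fixed, or a rebuild with the TLS Heartbeat extension compiled out), as an added shell example that is not part of the email or of any httpd/OpenSSL project code. It parses constructed "openssl version" and "openssl version -f" output; the OPENSSL_NO_HEARTBEATS define is the standard build-time switch that removes the extension.

```shell
#!/bin/sh
# Added example, not from the email: triage an OpenSSL build against the
# advisory text above. Inputs are the outputs of "openssl version" and
# "openssl version -f" (the "compiler:" line carrying the build flags).

# heartbleed_status 'OpenSSL 1.0.1e 11 Feb 2013' -> affected|fixed|not-affected|unknown
heartbleed_status() {
    set -- $1                      # split on whitespace; $2 is the version token
    case "$2" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*)
            echo affected ;;       # 1.0.1 through 1.0.1f, incl. suffixes like 1.0.1e-fips
        1.0.1[g-z]*)
            echo fixed ;;          # 1.0.1g or later carries the fix
        0.9.*|1.0.0*)
            echo not-affected ;;   # the heartbeat extension only exists from 1.0.1 on
        *)
            echo unknown ;;        # not covered by the advisory text: ask the supplier
    esac
}

# heartbeats_compiled_out 'compiler: gcc ... -DOPENSSL_NO_HEARTBEATS ...' -> 0 when the
# TLS heartbeat extension was compiled out (the "rebuild" option in the email)
heartbeats_compiled_out() {
    case "$1" in
        *-DOPENSSL_NO_HEARTBEATS*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# heartbleed_verdict VERSION_LINE COMPILER_LINE -> status, or mitigated-by-rebuild
heartbleed_verdict() {
    status=$(heartbleed_status "$1")
    if [ "$status" = affected ] && heartbeats_compiled_out "$2"; then
        echo mitigated-by-rebuild
    else
        echo "$status"
    fi
}

# Constructed sample inputs (not captured from any real host).
SAMPLE_VULN='OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_FLAGS='compiler: gcc -O3 -Wall'
SAMPLE_FLAGS_NOHB='compiler: gcc -DOPENSSL_NO_HEARTBEATS -O3 -Wall'

# On a live host: heartbleed_verdict "$(openssl version)" "$(openssl version -f)"
heartbleed_verdict "$SAMPLE_VULN"  "$SAMPLE_FLAGS"        # affected
heartbleed_verdict "$SAMPLE_VULN"  "$SAMPLE_FLAGS_NOHB"   # mitigated-by-rebuild
heartbleed_verdict "$SAMPLE_FIXED" "$SAMPLE_FLAGS"        # fixed
```

Vendor packages often backport the fix without changing the version string (a patched build can still report 1.0.1e), so an "affected" result for a distribution-supplied OpenSSL means confirming with the supplier, as the email says.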